10614224

Identifying Computer Program Security Access Control Violations Using Static Analysis

Published: April 7, 2020
Assignee: not available in USPTO data we have
Patent Claims
20 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A system, comprising: a memory that stores computer executable components; a processor that executes the computer executable components stored in the memory, wherein the computer executable components comprise: a modeling component that generates a mathematical model of a computer program product, wherein the mathematical model defines data flows through nodes of the computer program product that reach a protected node corresponding to a protected data object; and a security evaluation component that evaluates a security protocol of the computer program product using static program analysis of the mathematical model to determine whether any of the data flows provide a path to the protected node that does not proceed through security nodes in an order corresponding to the security protocol, wherein the security nodes are included in the nodes of the computer program product, wherein the security nodes comprise an authorization node that checks an authorization of an entity to access the protected data object and an authentication node that checks an authentication of the entity, and wherein the order comprises flow through the authentication node prior to flow through the authorization node.

Plain English Translation

This invention relates to computer program security and addresses the problem of ensuring secure data access within a computer program product. The system includes a memory storing computer executable components and a processor that executes these components. The components comprise a modeling component and a security evaluation component. The modeling component generates a mathematical model of the computer program product. This model represents data flows within the program, specifically focusing on flows that reach a protected node associated with a protected data object. The security evaluation component then analyzes this mathematical model using static program analysis. It evaluates the security protocol of the computer program product by determining if any data flows can reach the protected node without adhering to the specified security protocol order. The program product includes security nodes within its overall nodes. These security nodes are specifically an authorization node, which verifies an entity's permission to access the protected data object, and an authentication node, which verifies the entity's identity. The security protocol dictates that the authentication node must be traversed before the authorization node in any data flow path to the protected node. The evaluation checks for any paths that bypass this required order.

Claim 2

Original Legal Text

2. The system of claim 1 , wherein the using the static program analysis comprises evaluating the data flows as an interprocedural control-flow graph reachability problem using an interprocedural, finite, distributive, subset (IFDS) algorithm.

Plain English Translation

Claim 2 specifies how the static analysis of claim 1 is carried out: the data flows are treated as a reachability problem over an interprocedural control-flow graph (the control-flow graphs of the individual procedures joined by call and return edges), and that problem is solved with an IFDS algorithm. IFDS (interprocedural, finite, distributive, subset) is a standard framework for dataflow problems whose facts are drawn from a finite set and whose transfer functions distribute over set union; such problems can be solved with precision about calling context, in polynomial time, as graph reachability. In this setting the question "can a flow reach the protected node without passing the security nodes in the required order?" becomes "can a particular node be reached from the program entry while still carrying a particular fact?", which is exactly what the IFDS solver computes.

Claim 3

Original Legal Text

3. The system of claim 1 , wherein the computer program product provides runtime environment protocol information employed by an operating system to execute one or more additional computer program products.

Plain English Translation

Claim 3 restricts the kind of program being analyzed: the computer program product of claim 1 is one that supplies runtime environment protocol information which an operating system uses to execute other programs. In other words, the analysis target can itself be part of the execution environment that other programs depend on to run, rather than an end-user application, so the correctness of its access checks matters to every program that runs through it.

Claim 4

Original Legal Text

4. The system of claim 3 , wherein the protected data object comprises hardware or software of the operating system.

Plain English Translation

Claim 4 depends on claim 3 and further specifies that the protected data object, the resource to which the protected node corresponds, is hardware or software of the operating system itself. The authentication-then-authorization check of claim 1 is therefore applied to flows that reach operating-system components, not only to application-level data.

Claim 5

Original Legal Text

5. The system of claim 1 , further comprising: a report component that generates output information regarding whether any of the data flows provides the path to the protected node that does not proceed through the security nodes in the order corresponding to the security protocol.

Plain English Translation

Claim 5 adds a report component to the system of claim 1. After the static analysis has run, this component produces output stating whether any data flow reaches the protected node along a path that does not pass through the security nodes in the order the security protocol requires (authentication before authorization). The claim covers reporting of the result and does not change how the analysis is performed; the analysis is still static, so the "data flows" are paths in the program model, not observed traffic.

Claim 6

Original Legal Text

6. The system of claim 1 , further comprising: a notification component configured to generate a notification based on a determination that one or more data flows of the data flows provides the path to the protected node that does not proceed through the security nodes in the order corresponding to the security protocol.

Plain English Translation

Claim 6 adds a notification component to the system of claim 1. Where claim 5 covers a report on the analysis outcome, claim 6 covers generating a notification that is triggered by a determination that one or more of the modeled data flows reach the protected node without passing through the authentication node and then the authorization node in that order. The notification is the mechanism by which the finding is surfaced to whoever consumes the analysis results.

Claim 7

Original Legal Text

7. The system of claim 6 , wherein the notification comprises information indicating the computer program product has a security access control issue associated with the protected data object.

Plain English Translation

Claim 7 narrows the notification of claim 6: it must include information indicating that the analyzed program has a security access control issue associated with the protected data object. That is, the notification does not merely flag that some check failed; it attributes the problem to access control on the specific protected resource whose node the offending flow reached.

Claim 8

Original Legal Text

8. The system of claim 6 , wherein the notification comprises information identifying an amount of the one or more data flows that provides the path to the protected node that does not proceed through the security nodes in the order corresponding to the security protocol.

Plain English Translation

Claim 8 further narrows the notification of claim 6 so that it identifies the amount of data flows found to reach the protected node out of the required order, that is, a count or measure of how many modeled flows violate the security protocol rather than only a yes/no result.

Claim 9

Original Legal Text

9. The system of claim 6 , wherein the notification comprises information identifying the one or more data flows.

Plain English Translation

Claim 9 narrows the notification of claim 6 so that it identifies the one or more data flows that violate the security protocol. Where claim 8 reports how many flows are affected, claim 9 covers naming which ones, which is the information a developer needs to locate the offending path in the program.

Claim 10

Original Legal Text

10. The system of claim 2 , wherein the evaluating comprises propagating a data flow fact corresponding to the protected data product through the data flows and ending the propagating of the data flow fact only when the data flow fact reaches the authentication node before reaching the authorization node.

Plain English Translation

Claim 10 depends on claim 2 and specifies how the IFDS evaluation works. A data flow fact corresponding to the protected data object is propagated along the data flows of the model. Propagation of that fact is ended only when the fact reaches the authentication node before it has reached the authorization node; at that point the flow has satisfied the required ordering and no longer needs to be tracked. A fact that bypasses the authentication node, or that reaches the authorization node first and the authentication node afterwards, is not ended and so continues to propagate toward the protected node.

Claim 11

Original Legal Text

11. The system of claim 10 , wherein the security evaluation component determines that a data flow of the data flows violates the security protocol based on the data flow fact reaching the protected node in association with propagation through the data flow.

Plain English Translation

Claim 11 builds on claim 10: the security evaluation component determines that a data flow violates the security protocol when the propagated data flow fact reaches the protected node. Because claim 10 ends the fact as soon as a flow passes authentication before authorization, a fact that is still alive at the protected node can only have arrived along a path that skipped authentication or performed authorization before authentication, so its arrival is itself the evidence of the violation.

Claim 12

Original Legal Text

12. The system of claim 11 , wherein the security evaluation component identifies respective nodes included in the data flow based on the respective nodes connecting to the protected node and being associated with an intact representation of the data flow fact.

Plain English Translation

Claim 12 depends on claim 11 and concerns how the offending path is identified. The security evaluation component identifies the nodes that make up the violating data flow as those nodes that connect to the protected node and at which an intact (not yet ended) representation of the data flow fact is present. In effect this walks back from the protected node through the nodes where the fact was still alive, recovering the path that bypassed or misordered the security checks so that it can be reported.
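The following is an added example, not the patent's own code, of the propagation described in claims 1, 10, 11 and 12 reduced to a single intraprocedural control-flow graph: the data flow fact is one bit (has the flow already passed an authorization node?), it is ended at an authentication node reached before authorization, and any fact alive at the protected node is reported together with the nodes it passed through. The node kinds, node names and the sample program are constructed for illustration; the patent itself solves the interprocedural version as IFDS reachability.

```python
"""Simplified, intraprocedural model of the authentication-before-authorization
check (claims 1, 10, 11, 12). Added example; not the patent's implementation."""
from collections import deque

# Transfer function applied when the fact enters a node (claim 10):
#   authn : end the fact unless authorization was already seen (that order is the bug)
#   authz : record that authorization has now happened
#   other : pass the fact through unchanged
def transfer(kind, seen_authz):
    if kind == "authn":
        return None if not seen_authz else True
    if kind == "authz":
        return True
    return seen_authz

def find_violations(graph, entry, protected):
    """Propagate the protected-resource fact to a fixpoint. Any fact still alive
    at the protected node is a path that did not pass authentication and then
    authorization in that order (claim 11). graph: node -> (kind, [successors])."""
    facts_at = {node: set() for node in graph}
    preds = {}                       # (node, fact) -> predecessor (node, fact)
    facts_at[entry].add(False)       # nothing has been checked at program entry
    work = deque([(entry, False)])
    while work:
        node, fact = work.popleft()
        for succ in graph[node][1]:
            out = transfer(graph[succ][0], fact)
            if out is None or out in facts_at[succ]:
                continue             # fact ended, or already propagated here
            facts_at[succ].add(out)
            preds[(succ, out)] = (node, fact)
            work.append((succ, out))
    violations = []
    for fact in sorted(facts_at[protected]):
        # Walk back through nodes where the fact was intact (claim 12).
        path, cur = [], (protected, fact)
        while cur is not None:
            path.append(cur[0])
            cur = preds.get(cur)
        violations.append({
            "path": path[::-1],
            "reason": ("authorization checked before authentication" if fact
                       else "no authentication check on path"),
        })
    return violations

# Constructed sample program (hypothetical node names), as node -> (kind, successors).
SAMPLE_PROGRAM = {
    "entry":          ("entry",     ["check_session", "admin_shortcut", "legacy_role"]),
    "check_session":  ("authn",     ["check_role"]),       # correct: authn then authz
    "check_role":     ("authz",     ["read_secret"]),
    "admin_shortcut": ("plain",     ["read_secret"]),      # skips both checks
    "legacy_role":    ("authz",     ["check_session"]),    # authz before authn
    "read_secret":    ("protected", []),
}

def sample_report():
    return find_violations(SAMPLE_PROGRAM, "entry", "read_secret")

if __name__ == "__main__":
    for v in sample_report():
        print(v["reason"], ":", " -> ".join(v["path"]))
```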

Claim 13

Original Legal Text

13. A computer program product that facilitates identification of security access control violations associated with a second computer program product, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to: generate, by the processor, a mathematical model of the second computer program product, wherein the mathematical model defines data flows through nodes of the second computer program product that reach a secure node corresponding to a secure resource; and evaluate, by the processor, a security protocol of the second computer program product using static program analysis of the mathematical model to determine whether any of the data flows provide a path to the secure node that does not proceed through security nodes in an order corresponding to the security protocol, wherein the security nodes are included in the nodes of the second computer program product, wherein the security nodes comprise an authorization node that checks an authorization of an entity to access the secure resource and an authentication node that checks an authentication of the entity, and wherein the order comprises flow through the authentication node prior to flow through the authorization node.

Plain English Translation

This invention relates to computer security, specifically identifying violations in access control protocols within software applications. The problem addressed is ensuring that software applications correctly enforce security protocols, particularly the sequence of authentication and authorization checks before granting access to secure resources. The invention involves a computer program product that analyzes another software application to detect security access control violations. It generates a mathematical model of the target software, representing data flows through its components (nodes) that lead to secure resources. The model maps how data moves through the software, including security nodes like authentication and authorization checkpoints. Using static program analysis, the invention evaluates whether data flows correctly follow a predefined security protocol. The protocol requires that authentication (verifying an entity's identity) must occur before authorization (verifying permissions). The system checks if any data flow bypasses this order, potentially exposing security vulnerabilities. If violations are found, the system flags them for review. This approach helps developers and security analysts identify and fix flaws in access control mechanisms, reducing risks of unauthorized access to sensitive resources. The method is automated, scalable, and applicable to various software systems.

Claim 14

Original Legal Text

14. The computer program product of claim 13 , wherein the using the static program analysis comprises evaluating the data flows as an interprocedural control-flow graph reachability problem using an interprocedural, finite, distributive, subset (IFDS) algorithm.

Plain English Translation

Claim 14 is the computer-program-product counterpart of claim 2: the static analysis treats the data flows as an interprocedural control-flow graph reachability problem and solves it with an IFDS algorithm. In the IFDS framework the dataflow facts are drawn from a finite set, the dataflow domain is the set of subsets of those facts, and the transfer functions distribute over set union; these properties are what allow a context-sensitive interprocedural analysis to be reduced to graph reachability and solved in polynomial time. For this patent the facts are the data flow facts corresponding to the secure resource, and reachability of the secure node by such a fact is the condition being tested.

Claim 15

Original Legal Text

15. The computer program product of claim 13 , wherein the second computer program product provides runtime environment protocol information that can be used by an operating system to execute one or more additional computer program products.

Plain English Translation

Claim 15 is the counterpart of claim 3: the second computer program product, the one being analyzed, is one that provides runtime environment protocol information which an operating system can use to execute other programs. The analysis target can therefore be a component of the execution environment rather than an ordinary application.

Claim 16

Original Legal Text

16. The computer program product of claim 13 , wherein the secure resource comprises hardware or software of the operating system.

Plain English Translation

Claim 16 is the counterpart of claim 4: the secure resource to which the secure node corresponds is hardware or software of the operating system. The ordering check of claim 13 is thus applied to flows that reach operating-system components.

Claim 17

Original Legal Text

17. The computer program product of claim 13 , wherein the program instructions are further executable by the processor to cause the processor to generate output information regarding whether any of the data flows provides the path to the secure node that does not proceed through the security nodes in the order corresponding to the security protocol.

Plain English Translation

Claim 17 is the counterpart of claim 5: the program instructions additionally generate output information stating whether any of the modeled data flows reach the secure node along a path that does not pass through the security nodes in the order the security protocol requires. This is reporting of the static analysis result, not runtime monitoring of traffic.

Claim 18

Original Legal Text

18. The computer program product of claim 13 , wherein the program instructions are further executable by the processor to cause the processor to generate a notification based on a determination that one or more data flows of the data flows provides the path to the secure node that does not proceed through security nodes in the order corresponding to the security protocol.

Plain English Translation

Claim 18 is the counterpart of claim 6: the program instructions additionally generate a notification based on a determination that one or more of the modeled data flows reach the secure node without passing through the security nodes in the required order (authentication before authorization). The notification surfaces the finding of the static analysis to whoever consumes its results.

Claim 19

Original Legal Text

19. The computer program product of claim 13 , wherein the evaluating comprises propagating a data flow fact corresponding to the secure resource through the data flows and ending the propagating of the data flow fact only when the data flow fact reaches the authentication node before reaching the authorization node.

Plain English Translation

Claim 19 is the counterpart of claim 10. The evaluation propagates a data flow fact corresponding to the secure resource along the data flows of the model, and it ends the propagation of that fact only when the fact reaches the authentication node before it has reached the authorization node. A flow that satisfies that condition has performed the checks in the required order and is no longer tracked; a flow that skips authentication, or reaches authorization first, keeps carrying the fact toward the secure node.

Claim 20

Original Legal Text

20. The computer program product of claim 13, wherein the program instructions are further executable by the processor to cause the processor to: determine that a data flow of the data flows violates the security protocol based on the data flow fact reaching the secure node in association with propagation through the data flow.

Plain English Translation

This invention relates to computer security systems that monitor data flows to detect violations of security protocols. The problem addressed is the need to identify and prevent unauthorized or malicious data propagation within a network, particularly when data flows reach secure nodes after propagating through the network. The system involves a computer program product that analyzes data flows to determine whether they comply with predefined security protocols. The program instructions are executed by a processor to monitor data flows and track their propagation through the network. When a data flow reaches a secure node, the system evaluates whether the data flow fact (a representation of the data flow's characteristics and path) indicates a violation of the security protocol. This evaluation is based on the data flow's propagation history and its association with the secure node. If a violation is detected, the system can take corrective actions, such as blocking the data flow or alerting security personnel. The system may also include mechanisms to generate and store data flow facts, which capture relevant information about the data flow's origin, path, and content. These facts are used to assess compliance with security protocols, ensuring that only authorized and safe data reaches secure nodes. The invention improves network security by dynamically monitoring data flows and enforcing security policies based on their propagation behavior.
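The propagation described in claims 19 and 20, worked as an added example that is not the patent's own implementation: a constructed flow graph with authentication, authorization and protected nodes, a data flow fact for the protected resource that is killed only at an authorization node reached after an authentication node, and a violation reported whenever the fact still reaches the protected node. The node names, the one-bit "authenticated" state carried by the fact, and the bypass path are all assumptions made for illustration.

```python
from collections import deque

# Constructed example graph of a program guarding a protected data object.
# Each node maps to (kind, successors). Kinds: "authn" (authentication check),
# "authz" (authorization check), "protected" (access to the protected object),
# "plain" (any other node).
GRAPH = {
    "entry":       ("plain",     ["login", "api_fast"]),
    "login":       ("authn",     ["acl_check"]),
    "acl_check":   ("authz",     ["read_record"]),
    "api_fast":    ("plain",     ["acl_only"]),     # constructed bypass path
    "acl_only":    ("authz",     ["read_record"]),  # authz without prior authn
    "read_record": ("protected", []),
}

def find_violations(graph, entry="entry"):
    """Propagate the data flow fact 'the protected resource may be reached
    without authn-then-authz' from the entry node (claim 19).  The fact
    carries one bit of state: whether an authentication node has already
    been passed.  It is killed only at an authorization node reached after
    an authentication node; if it survives to a protected node, the path it
    travelled is reported as a violation (claim 20)."""
    violations = []
    # Worklist of (node, authenticated, path). 'seen' is keyed on
    # (node, state) so cycles in the graph terminate.
    work = deque([(entry, False, (entry,))])
    seen = {(entry, False)}
    while work:
        node, authenticated, path = work.popleft()
        kind, succs = graph[node]
        if kind == "authn":
            authenticated = True          # fact now records prior authn
        elif kind == "authz":
            if authenticated:
                continue                  # authn then authz: fact killed
            # authz before authn: wrong order, fact keeps propagating
        elif kind == "protected":
            violations.append(path)       # fact reached the protected node
            continue
        for succ in succs:
            key = (succ, authenticated)
            if key not in seen:
                seen.add(key)
                work.append((succ, authenticated, path + (succ,)))
    return violations

def describe(violation):
    """Notification text: the non-compliant path and the node it bypassed."""
    return "violation: %s (no authentication node before authorization)" % " -> ".join(violation)
```

Rerouting the constructed `api_fast` edge to `login` makes every path pass the authentication node first, and the analysis then reports no violations.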

Patent Metadata

Filing Date

Unknown

Publication Date

April 7, 2020

Inventors

Matthias Daniel Dietsch
Pietro Ferrara
Marco Pistoia
Omer Tripp


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “IDENTIFYING COMPUTER PROGRAM SECURITY ACCESS CONTROL VIOLATIONS USING STATIC ANALYSIS” (10614224). https://patentable.app/patents/10614224

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10614224. See llms.txt for full attribution policy.